golang
diff --git a/‎cmd/govulncheck/testdata/testfiles/source-module/source_module_text.ct
Lines changed: 34 additions & 0 deletions b/‎cmd/govulncheck/testdata/testfiles/source-module/source_module_text.ct
Lines changed: 34 additions & 0 deletions
diff --git a/‎cmd/govulncheck/testdata/testfiles/source-package/package_short_curcuits.ct
Lines changed: 310 additions & 0 deletions b/‎cmd/govulncheck/testdata/testfiles/source-package/package_short_curcuits.ct
Lines changed: 310 additions & 0 deletions
diff --git a/‎cmd/govulncheck/testdata/testfiles/source-package/source_package_text.ct
Lines changed: 33 additions & 0 deletions b/‎cmd/govulncheck/testdata/testfiles/source-package/source_package_text.ct
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,34 @@
+#####
+# Testing that govulncheck doesn't mention calls when it doesn't
+# have callstack information
+$ govulncheck -scan module -C ${moddir}/multientry
+Scanning your code across 2 dependent modules for known vulnerabilities...
+
+=== Informational ===
+
+There are 2 vulnerabilities in modules that you require. Use
+-scan=symbol with govulncheck for more fine grained vulnerability
+detection.
+See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
+
+Vulnerability #1: GO-2022-0969
+    HTTP/2 server connections can hang forever waiting for a clean shutdown that
+    was preempted by a fatal error. This condition can be exploited by a
+    malicious client to cause a denial of service.
+  More info: https://pkg.go.dev/vuln/GO-2022-0969
+  Standard library
+    Found in: net/http@go1.18
+    Fixed in: net/http@go1.18.6
+
+Vulnerability #2: GO-2021-0113
+    Due to improper index calculation, an incorrectly formatted language tag can
+    cause Parse to panic via an out of bounds read. If Parse is used to process
+    untrusted user inputs, this may be used as a vector for a denial of service
+    attack.
+  More info: https://pkg.go.dev/vuln/GO-2021-0113
+  Module: golang.org/x/text
+    Found in: golang.org/x/text@v0.3.5
+    Fixed in: golang.org/x/text@v0.3.7
+
+
+Share feedback at https://go.dev/s/govulncheck-feedback.
@@ -0,0 +1,310 @@
+#####
+# Test that findings with callstacks are not emitted in package mode
+$ govulncheck -json -scan package -C ${moddir}/multientry .
+{
+  "config": {
+    "protocol_version": "v1.0.0",
+    "scanner_name": "govulncheck",
+    "scanner_version": "v0.0.0-00000000000-20000101010101",
+    "db": "testdata/vulndb-v1",
+    "db_last_modified": "2023-04-03T15:57:51Z",
+    "go_version": "go1.18",
+    "scan_level": "package"
+  }
+}
+{
+  "progress": {
+    "message": "Scanning your code and P packages across M dependent modules for known vulnerabilities..."
+  }
+}
+{
+  "osv": {
+    "schema_version": "1.3.1",
+    "id": "GO-2022-0969",
+    "modified": "2023-04-03T15:57:51Z",
+    "published": "2022-09-12T20:23:06Z",
+    "aliases": [
+      "CVE-2022-27664",
+      "GHSA-69cg-p879-7622"
+    ],
+    "details": "HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.",
+    "affected": [
+      {
+        "package": {
+          "name": "stdlib",
+          "ecosystem": "Go"
+        },
+        "ranges": [
+          {
+            "type": "SEMVER",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "1.18.6"
+              },
+              {
+                "introduced": "1.19.0"
+              },
+              {
+                "fixed": "1.19.1"
+              }
+            ]
+          }
+        ],
+        "ecosystem_specific": {
+          "imports": [
+            {
+              "path": "net/http",
+              "symbols": [
+                "ListenAndServe",
+                "ListenAndServeTLS",
+                "Serve",
+                "ServeTLS",
+                "Server.ListenAndServe",
+                "Server.ListenAndServeTLS",
+                "Server.Serve",
+                "Server.ServeTLS",
+                "http2Server.ServeConn",
+                "http2serverConn.goAway"
+              ]
+            }
+          ]
+        }
+      },
+      {
+        "package": {
+          "name": "golang.org/x/net",
+          "ecosystem": "Go"
+        },
+        "ranges": [
+          {
+            "type": "SEMVER",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "0.0.0-20220906165146-f3363e06e74c"
+              }
+            ]
+          }
+        ],
+        "ecosystem_specific": {
+          "imports": [
+            {
+              "path": "golang.org/x/net/http2",
+              "symbols": [
+                "Server.ServeConn",
+                "serverConn.goAway"
+              ]
+            }
+          ]
+        }
+      }
+    ],
+    "references": [
+      {
+        "type": "WEB",
+        "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
+      },
+      {
+        "type": "REPORT",
+        "url": "https://go.dev/issue/54658"
+      },
+      {
+        "type": "FIX",
+        "url": "https://go.dev/cl/428735"
+      }
+    ],
+    "credits": [
+      {
+        "name": "Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu"
+      }
+    ],
+    "database_specific": {
+      "url": "https://pkg.go.dev/vuln/GO-2022-0969"
+    }
+  }
+}
+{
+  "finding": {
+    "osv": "GO-2022-0969",
+    "fixed_version": "v1.18.6",
+    "trace": [
+      {
+        "module": "stdlib",
+        "version": "v1.18.0",
+        "package": "net/http"
+      }
+    ]
+  }
+}
+{
+  "osv": {
+    "schema_version": "1.3.1",
+    "id": "GO-2021-0113",
+    "modified": "2023-04-03T15:57:51Z",
+    "published": "2021-10-06T17:51:21Z",
+    "aliases": [
+      "CVE-2021-38561",
+      "GHSA-ppp9-7jff-5vj2"
+    ],
+    "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.",
+    "affected": [
+      {
+        "package": {
+          "name": "golang.org/x/text",
+          "ecosystem": "Go"
+        },
+        "ranges": [
+          {
+            "type": "SEMVER",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "0.3.7"
+              }
+            ]
+          }
+        ],
+        "ecosystem_specific": {
+          "imports": [
+            {
+              "path": "golang.org/x/text/language",
+              "symbols": [
+                "MatchStrings",
+                "MustParse",
+                "Parse",
+                "ParseAcceptLanguage"
+              ]
+            }
+          ]
+        }
+      }
+    ],
+    "references": [
+      {
+        "type": "FIX",
+        "url": "https://go.dev/cl/340830"
+      },
+      {
+        "type": "FIX",
+        "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f"
+      }
+    ],
+    "credits": [
+      {
+        "name": "Guido Vranken"
+      }
+    ],
+    "database_specific": {
+      "url": "https://pkg.go.dev/vuln/GO-2021-0113"
+    }
+  }
+}
+{
+  "finding": {
+    "osv": "GO-2021-0113",
+    "fixed_version": "v0.3.7",
+    "trace": [
+      {
+        "module": "golang.org/x/text",
+        "version": "v0.3.5"
+      }
+    ]
+  }
+}
+{
+  "finding": {
+    "osv": "GO-2021-0113",
+    "fixed_version": "v0.3.7",
+    "trace": [
+      {
+        "module": "golang.org/x/text",
+        "version": "v0.3.5",
+        "package": "golang.org/x/text/language"
+      }
+    ]
+  }
+}
+{
+  "osv": {
+    "schema_version": "1.3.1",
+    "id": "GO-2020-0015",
+    "modified": "2023-04-03T15:57:51Z",
+    "published": "2021-04-14T20:04:52Z",
+    "aliases": [
+      "CVE-2020-14040",
+      "GHSA-5rcv-m4m3-hfh7"
+    ],
+    "details": "An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.",
+    "affected": [
+      {
+        "package": {
+          "name": "golang.org/x/text",
+          "ecosystem": "Go"
+        },
+        "ranges": [
+          {
+            "type": "SEMVER",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "0.3.3"
+              }
+            ]
+          }
+        ],
+        "ecosystem_specific": {
+          "imports": [
+            {
+              "path": "golang.org/x/text/encoding/unicode",
+              "symbols": [
+                "bomOverride.Transform",
+                "utf16Decoder.Transform"
+              ]
+            },
+            {
+              "path": "golang.org/x/text/transform",
+              "symbols": [
+                "String"
+              ]
+            }
+          ]
+        }
+      }
+    ],
+    "references": [
+      {
+        "type": "FIX",
+        "url": "https://go.dev/cl/238238"
+      },
+      {
+        "type": "FIX",
+        "url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
+      },
+      {
+        "type": "REPORT",
+        "url": "https://go.dev/issue/39491"
+      },
+      {
+        "type": "WEB",
+        "url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
+      }
+    ],
+    "credits": [
+      {
+        "name": "@abacabadabacaba and Anton Gyllenberg"
+      }
+    ],
+    "database_specific": {
+      "url": "https://pkg.go.dev/vuln/GO-2020-0015"
+    }
+  }
+}
@@ -0,0 +1,33 @@
+#####
+# Testing that govulncheck doesn't mention calls when it doesn't have the relevant info
+$ govulncheck -scan package -C ${moddir}/multientry .
+Scanning your code and P packages across M dependent modules for known vulnerabilities...
+
+=== Informational ===
+
+Found 1 vulnerability in packages that you import. There is also 1
+vulnerability in modules that you require. Use -scan=symbol with
+govulncheck for more fine grained vulnerability detection.
+See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.
+
+Vulnerability #1: GO-2022-0969
+    HTTP/2 server connections can hang forever waiting for a clean shutdown that
+    was preempted by a fatal error. This condition can be exploited by a
+    malicious client to cause a denial of service.
+  More info: https://pkg.go.dev/vuln/GO-2022-0969
+  Standard library
+    Found in: net/http@go1.18
+    Fixed in: net/http@go1.18.6
+
+Vulnerability #2: GO-2021-0113
+    Due to improper index calculation, an incorrectly formatted language tag can
+    cause Parse to panic via an out of bounds read. If Parse is used to process
+    untrusted user inputs, this may be used as a vector for a denial of service
+    attack.
+  More info: https://pkg.go.dev/vuln/GO-2021-0113
+  Module: golang.org/x/text
+    Found in: golang.org/x/text@v0.3.5
+    Fixed in: golang.org/x/text@v0.3.7
+
+
+Share feedback at https://go.dev/s/govulncheck-feedback.